diff options
-rw-r--r-- | server/controllers/api/remote.js | 2 | ||||
-rw-r--r-- | server/helpers/peertube-crypto.js | 48 | ||||
-rw-r--r-- | server/helpers/requests.js | 17 | ||||
-rw-r--r-- | server/middlewares/secure.js | 28 | ||||
-rw-r--r-- | server/middlewares/validators/remote.js | 10 | ||||
-rw-r--r-- | server/models/request.js | 3 |
6 files changed, 7 insertions, 101 deletions
diff --git a/server/controllers/api/remote.js b/server/controllers/api/remote.js index 35f386ba6..f1046c534 100644 --- a/server/controllers/api/remote.js +++ b/server/controllers/api/remote.js | |||
@@ -15,9 +15,7 @@ const Video = mongoose.model('Video') | |||
15 | 15 | ||
16 | router.post('/videos', | 16 | router.post('/videos', |
17 | validators.signature, | 17 | validators.signature, |
18 | validators.dataToDecrypt, | ||
19 | secureMiddleware.checkSignature, | 18 | secureMiddleware.checkSignature, |
20 | secureMiddleware.decryptBody, | ||
21 | validators.remoteVideos, | 19 | validators.remoteVideos, |
22 | remoteVideos | 20 | remoteVideos |
23 | ) | 21 | ) |
diff --git a/server/helpers/peertube-crypto.js b/server/helpers/peertube-crypto.js index 1ff638b04..2e07df00e 100644 --- a/server/helpers/peertube-crypto.js +++ b/server/helpers/peertube-crypto.js | |||
@@ -16,8 +16,6 @@ const peertubeCrypto = { | |||
16 | comparePassword, | 16 | comparePassword, |
17 | createCertsIfNotExist, | 17 | createCertsIfNotExist, |
18 | cryptPassword, | 18 | cryptPassword, |
19 | decrypt, | ||
20 | encrypt, | ||
21 | sign | 19 | sign |
22 | } | 20 | } |
23 | 21 | ||
@@ -57,34 +55,6 @@ function cryptPassword (password, callback) { | |||
57 | }) | 55 | }) |
58 | } | 56 | } |
59 | 57 | ||
60 | function decrypt (key, data, callback) { | ||
61 | fs.readFile(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem', function (err, file) { | ||
62 | if (err) return callback(err) | ||
63 | |||
64 | const myPrivateKey = ursa.createPrivateKey(file) | ||
65 | const decryptedKey = myPrivateKey.decrypt(key, 'hex', 'utf8') | ||
66 | const decryptedData = symetricDecrypt(data, decryptedKey) | ||
67 | |||
68 | return callback(null, decryptedData) | ||
69 | }) | ||
70 | } | ||
71 | |||
72 | function encrypt (publicKey, data, callback) { | ||
73 | const crt = ursa.createPublicKey(publicKey) | ||
74 | |||
75 | symetricEncrypt(data, function (err, dataEncrypted) { | ||
76 | if (err) return callback(err) | ||
77 | |||
78 | const key = crt.encrypt(dataEncrypted.password, 'utf8', 'hex') | ||
79 | const encrypted = { | ||
80 | data: dataEncrypted.crypted, | ||
81 | key: key | ||
82 | } | ||
83 | |||
84 | callback(null, encrypted) | ||
85 | }) | ||
86 | } | ||
87 | |||
88 | function sign (data) { | 58 | function sign (data) { |
89 | const myKey = ursa.createPrivateKey(fs.readFileSync(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem')) | 59 | const myKey = ursa.createPrivateKey(fs.readFileSync(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem')) |
90 | const signature = myKey.hashAndSign('sha256', data, 'utf8', 'hex') | 60 | const signature = myKey.hashAndSign('sha256', data, 'utf8', 'hex') |
@@ -151,21 +121,3 @@ function generatePassword (callback) { | |||
151 | callback(null, buf.toString('utf8')) | 121 | callback(null, buf.toString('utf8')) |
152 | }) | 122 | }) |
153 | } | 123 | } |
154 | |||
155 | function symetricDecrypt (text, password) { | ||
156 | const decipher = crypto.createDecipher(algorithm, password) | ||
157 | let dec = decipher.update(text, 'hex', 'utf8') | ||
158 | dec += decipher.final('utf8') | ||
159 | return dec | ||
160 | } | ||
161 | |||
162 | function symetricEncrypt (text, callback) { | ||
163 | generatePassword(function (err, password) { | ||
164 | if (err) return callback(err) | ||
165 | |||
166 | const cipher = crypto.createCipher(algorithm, password) | ||
167 | let crypted = cipher.update(text, 'utf8', 'hex') | ||
168 | crypted += cipher.final('hex') | ||
169 | callback(null, { crypted: crypted, password: password }) | ||
170 | }) | ||
171 | } | ||
diff --git a/server/helpers/requests.js b/server/helpers/requests.js index 06109ce16..b0cda09fe 100644 --- a/server/helpers/requests.js +++ b/server/helpers/requests.js | |||
@@ -44,21 +44,8 @@ function makeSecureRequest (params, callback) { | |||
44 | 44 | ||
45 | // If there are data informations | 45 | // If there are data informations |
46 | if (params.data) { | 46 | if (params.data) { |
47 | // Encrypt data | 47 | requestParams.json.data = params.data |
48 | if (params.encrypt === true) { | 48 | request.post(requestParams, callback) |
49 | peertubeCrypto.encrypt(params.toPod.publicKey, JSON.stringify(params.data), function (err, encrypted) { | ||
50 | if (err) return callback(err) | ||
51 | |||
52 | requestParams.json.data = encrypted.data | ||
53 | requestParams.json.key = encrypted.key | ||
54 | |||
55 | request.post(requestParams, callback) | ||
56 | }) | ||
57 | } else { | ||
58 | // No encryption | ||
59 | requestParams.json.data = params.data | ||
60 | request.post(requestParams, callback) | ||
61 | } | ||
62 | } else { | 49 | } else { |
63 | // No data | 50 | // No data |
64 | request.post(requestParams, callback) | 51 | request.post(requestParams, callback) |
diff --git a/server/middlewares/secure.js b/server/middlewares/secure.js index fd5bc51d6..ee836beed 100644 --- a/server/middlewares/secure.js +++ b/server/middlewares/secure.js | |||
@@ -7,15 +7,14 @@ const peertubeCrypto = require('../helpers/peertube-crypto') | |||
7 | const Pod = mongoose.model('Pod') | 7 | const Pod = mongoose.model('Pod') |
8 | 8 | ||
9 | const secureMiddleware = { | 9 | const secureMiddleware = { |
10 | checkSignature, | 10 | checkSignature |
11 | decryptBody | ||
12 | } | 11 | } |
13 | 12 | ||
14 | function checkSignature (req, res, next) { | 13 | function checkSignature (req, res, next) { |
15 | const host = req.body.signature.host | 14 | const host = req.body.signature.host |
16 | Pod.loadByHost(host, function (err, pod) { | 15 | Pod.loadByHost(host, function (err, pod) { |
17 | if (err) { | 16 | if (err) { |
18 | logger.error('Cannot get signed host in decryptBody.', { error: err }) | 17 | logger.error('Cannot get signed host in body.', { error: err }) |
19 | return res.sendStatus(500) | 18 | return res.sendStatus(500) |
20 | } | 19 | } |
21 | 20 | ||
@@ -24,7 +23,7 @@ function checkSignature (req, res, next) { | |||
24 | return res.sendStatus(403) | 23 | return res.sendStatus(403) |
25 | } | 24 | } |
26 | 25 | ||
27 | logger.debug('Decrypting body from %s.', host) | 26 | logger.debug('Checking signature from %s.', host) |
28 | 27 | ||
29 | const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, host, req.body.signature.signature) | 28 | const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, host, req.body.signature.signature) |
30 | 29 | ||
@@ -32,30 +31,11 @@ function checkSignature (req, res, next) { | |||
32 | return next() | 31 | return next() |
33 | } | 32 | } |
34 | 33 | ||
35 | logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.host) | 34 | logger.error('Signature is not okay in body for %s.', req.body.signature.host) |
36 | return res.sendStatus(403) | 35 | return res.sendStatus(403) |
37 | }) | 36 | }) |
38 | } | 37 | } |
39 | 38 | ||
40 | function decryptBody (req, res, next) { | ||
41 | peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) { | ||
42 | if (err) { | ||
43 | logger.error('Cannot decrypt data.', { error: err }) | ||
44 | return res.sendStatus(500) | ||
45 | } | ||
46 | |||
47 | try { | ||
48 | req.body.data = JSON.parse(decrypted) | ||
49 | delete req.body.key | ||
50 | } catch (err) { | ||
51 | logger.error('Error in JSON.parse', { error: err }) | ||
52 | return res.sendStatus(500) | ||
53 | } | ||
54 | |||
55 | next() | ||
56 | }) | ||
57 | } | ||
58 | |||
59 | // --------------------------------------------------------------------------- | 39 | // --------------------------------------------------------------------------- |
60 | 40 | ||
61 | module.exports = secureMiddleware | 41 | module.exports = secureMiddleware |
diff --git a/server/middlewares/validators/remote.js b/server/middlewares/validators/remote.js index c6455e678..858d193cc 100644 --- a/server/middlewares/validators/remote.js +++ b/server/middlewares/validators/remote.js | |||
@@ -4,20 +4,10 @@ const checkErrors = require('./utils').checkErrors | |||
4 | const logger = require('../../helpers/logger') | 4 | const logger = require('../../helpers/logger') |
5 | 5 | ||
6 | const validatorsRemote = { | 6 | const validatorsRemote = { |
7 | dataToDecrypt, | ||
8 | remoteVideos, | 7 | remoteVideos, |
9 | signature | 8 | signature |
10 | } | 9 | } |
11 | 10 | ||
12 | function dataToDecrypt (req, res, next) { | ||
13 | req.checkBody('key', 'Should have a key').notEmpty() | ||
14 | req.checkBody('data', 'Should have data').notEmpty() | ||
15 | |||
16 | logger.debug('Checking dataToDecrypt parameters', { parameters: { keyLength: req.body.key.length, bodyLength: req.body.data.length } }) | ||
17 | |||
18 | checkErrors(req, res, next) | ||
19 | } | ||
20 | |||
21 | function remoteVideos (req, res, next) { | 11 | function remoteVideos (req, res, next) { |
22 | req.checkBody('data').isEachRemoteVideosValid() | 12 | req.checkBody('data').isEachRemoteVideosValid() |
23 | 13 | ||
diff --git a/server/models/request.js b/server/models/request.js index 59bf440fe..c2cfe83ce 100644 --- a/server/models/request.js +++ b/server/models/request.js | |||
@@ -108,8 +108,7 @@ function makeRequest (toPod, requestEndpoint, requestsToMake, callback) { | |||
108 | 108 | ||
109 | const params = { | 109 | const params = { |
110 | toPod: toPod, | 110 | toPod: toPod, |
111 | encrypt: true, // Security | 111 | sign: true, // Prove our identity |
112 | sign: true, // To prove our identity | ||
113 | method: 'POST', | 112 | method: 'POST', |
114 | path: '/api/' + constants.API_VERSION + '/remote/' + requestEndpoint, | 113 | path: '/api/' + constants.API_VERSION + '/remote/' + requestEndpoint, |
115 | data: requestsToMake // Requests we need to make | 114 | data: requestsToMake // Requests we need to make |